Enhanced cyber-security is vital for Europe’s energy infrastructure

By Dominique RISTORI, Director-General for Energy, European Commission

The energy infrastructure is one of the most critical assets of a modern society.

Its effective operation is a pre-condition for securing energy supply for a wide range of economic and social activities.

Without energy, we cannot fuel our cars, withdraw money, run our industries or our hospitals or access the internet.

Due to the urgent need to address climate change and to put in place the necessary transition to a low-carbon economy, the energy sector is undergoing a profound transformation in terms of infrastructure and market functioning.

In addition, citizens are more and more actively participating in the energy market as consumers and decentralised producers of energy.

Traditional energy technologies are also becoming ever more connected to modern, digital technologies and networks.

This increasing digitalisation makes the energy system smarter and enables consumers to benefit better from innovative energy services.

At the same time, digitalisation creates risks through increased exposure to cyber-attacks and cybersecurity incidents, potentially jeopardising the security of energy supply or the privacy of consumer data.

Today, cybersecurity is very high on the political agenda and the European Commission has been very active in tackling cybersecurity challenges.

In September 2017, it adopted the Cybersecurity Package, which includes the Cybersecurity Act.

This package follows up on the EU Cyber Security Strategy of 2013 and the Directive on Security of Network and Information Systems of 2016.

However, what might work for the internet will not necessarily be adequate for other sectors.

In this context, it is indispensable to have a closer look at the energy sector in terms of cybersecurity and to identify and address its particularities.

Indeed, the focus should be put first and foremost on energy infrastructure and grids.

They are among the most complex and most critical infrastructures, serving as the backbone of our economic activities and security.

First, there are real-time requirements. Some energy systems need to react so fast that standard security measures, such as authentication of a command or verification of a digital signature, simply cannot be introduced because of the delay these measures impose.

Second, the energy system can produce cascading effects. Electricity grids and gas pipelines are strongly interconnected across Europe and well beyond the EU.

An outage in one country might trigger black-outs or shortages of supply in other areas and countries.

Finally, the energy system is the combination of legacy systems with new technologies. Many elements of the energy system were designed and built well before cybersecurity considerations came into play.

This legacy now needs to interact with the most recent state-of-the-art equipment for automation and control, such as smart meters or connected appliances, and devices from the Internet of Things without being exposed to cyber-threats.

The European Commission is therefore addressing these specificities of the energy sector in several ways.

In the short run, it is developing sector-specific guidance to implement horizontal cybersecurity rules.

This guidance is planned to be adopted together with the Report on the State of the Energy Union in spring 2019 and aims to increase preparedness in the energy sector.

As cooperation and trust among stakeholders, as well as among Member States, are key when it comes to cybersecurity due to the potential cascading and cross-border effects, the Commission is also working to raise awareness about cybersecurity and to promote broad discussions among different stakeholders from the energy sector.

For this purpose, the Commission organised an event on Cybersecurity in the Energy sector in Rome in March 2017, on the occasion of the 60th anniversary of the Treaty of Rome, as well as a high-level event in October 2018 in Brussels, and participated in the last two editions of the International Forum on Cybersecurity in Lille.

The Commission also plans to strengthen the role of the European Energy–Information Sharing Analysis Centre (EE-ISAC), which helps utilities improve the cyber security and resilience of their grid by enabling trust-based data and information sharing.

Delivering on the Energy Union goals requires a fundamental transformation of Europe’s energy system while maintaining a high level of security.

By the end of 2018, the EU concluded the negotiations on the Clean Energy for All Europeans package which puts forward the most advanced regulatory framework to lead the clean energy transition.

It creates an optimal environment for taking advantage of the digital transformation in the energy sector while reinforcing cybersecurity.

The new regulation on electricity risk preparedness will mandate Member States to develop national risk preparedness plans and coordinate their preparation at regional level, including measures to cope with cyber-attacks.

Furthermore, the recast of the Electricity Regulation proposes to develop a network code on cyber security, to increase the resilience of the energy sector and protect the energy systems.

But as cybersecurity is a continued effort, the work of the European Commission will not stop here: it will continue in order to protect and enhance our energy infrastructure to guarantee energy is delivered securely and safely to European citizens.